
Inside Internal Controls

News and discussion on implementing risk management


Government of Canada publishes proposed Breach of Security Safeguards Regulations

On September 2, 2017, the Government of Canada published proposed Breach of Security Safeguards Regulations. The proposed regulations relate to the provisions in Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which are not yet in force. The PIPEDA provisions will require an organization to notify affected individuals, and report to the Office of the Privacy Commissioner of Canada (“OPC”), as soon as feasible, regarding any data breach which poses a “real risk of significant harm” to any individual whose personal information was involved in the breach. The breach provisions in PIPEDA specify that such notification and reporting must be done in accordance with regulations passed pursuant to PIPEDA. Representations on the proposed regulations may be submitted up to October 2, 2017.

Failure to notify the OPC of a security breach, as required by the PIPEDA provisions yet to come into force, is an offence, punishable by a fine of up to $100,000. PIPEDA also contains a private right of action for affected individuals, which could result in damages being awarded by the Federal Court of Canada for failure to notify affected individuals. This private right of action also opens the door to potential class actions for an organization’s failure to comply with the breach notification provisions in PIPEDA.

The breach provisions in PIPEDA also require organizations to notify any other organization that may be able to mitigate harm to affected individuals, for example, service providers and law enforcement entities. In addition, organizations must maintain a record of any data breach and provide the record to the OPC upon request.

The proposed Breach Regulations specify that reports to the OPC must be in writing and must contain certain stipulated information, such as a description of the circumstances of the breach, the date or time period of the breach, an estimate of the number of affected individuals, a description of the steps taken to reduce the risk of harm, and a description of the organization’s notification or intended notification steps.

Notification to affected individuals must include similar information as provided to the OPC, and must also include:

  • a toll-free number or email address that affected individuals can use to obtain further information about the breach; and
  • information about the organization’s internal complaint process and about the affected individual’s right to file a complaint with the OPC.

Acceptable methods of direct and indirect notification to individuals are also set out in the proposed Breach Regulations. Indirect notification may be given in circumstances such as where the giving of direct notification would cause further harm to the affected individual, where the organization does not have the current contact information for affected individuals, or where the cost of giving direct notification is prohibitive for the organization.

We expect that consumer advocacy organizations may object to the inclusion of a cost factor for organizations in the proposed Breach Regulations, so it remains to be seen whether this part of the proposed regulations will ultimately survive.

By: Tamara Hunter and Kelly Friedman, DLA Piper

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog, published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at editor@firstreference.com.